
So here is a noob question (maybe even dumb?) but I need to ask it. I have a vue app which connects to my Appwrite instance using the API endpoint, project ID and it reads and writes using the Database ID etc. I guess those variabes have to be part of the front end in a production scenario. But how does Appwrite know which requests are legitimate and not? My vue-app does not really "authenticate" itself in any way. Is it through role/user settings in auth + limits to API calls per time unit? Can access to the endpoint and ID-strings above hurt me in production and do I have to hide/obfuscate them somehow (as we do with e.g. SMTP Keys using environment variables inside appwrite).

Hide API Endpoint, Project ID, Database ID etc in front end?

endpoint, project id, are fine to be public. it's the same as working with any sort of backend. the client MUST have this information in order to connect.
the best way to lock things down is by requiring authentication and setting up server side validation via permissions

Thanks @Steven ! This was my assumption, but didn't want to assume too much when it comes to these topics 🙂

Happy to help. And the most important thing is to not use API keys client side!
Recommended threads
- Failed to fetch
Hi team, can someone help me with my project? I'm not a programmer, but I'm working on a website that's experiencing a failed to fetch error. It's probably due ...
- No more access to Appwrite sites
Dear Appwrite-Team I got access to Appwrite Sites today and have already started setting up my projects. Now that I urgently need to view the logs of my Appwri...
- DNS help
I need the appwrite console in api.xxxxxxx.com and a next.js website in xxxxxxx.com how can i achive this
